
As a quick background: we have spam that is being sent out with our domain name. As a result we have added an SPF record to our domain DNS. Obviously this will assist in making sure this spam is not delivered; however, the question is whether this spam is actually originating from our server. We received an abuse report from our host provider with the following headers:

Received: from mx.poczta.onet.pl (unresolved [10.174.34.83]:53105)
    by ps15.m5r2.onet (Ota) with LMTP id 6B66CFF656749
    for <x>; Fri, 10 Mar 2017 23:36:17 +0100 (CET)
Received: from www.mydomain.com (unknown [xxx.xxx.xxx.xxx])
    by mx.poczta.onet.pl (Onet) with ESMTP id 3vg2DJ4tX1z92
    for <x>; Fri, 10 Mar 2017 23:36:16 +0100 (CET)
Date: Fri, 10 Mar 2017 17:36:15 -0500
To: x
From: Bethany <bethany@mydomain.com>
Subject: [SPAM] Do you want to give your man a strong...?
Message-ID: <8399________________________58f3@www.mydomain.com>
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="b1_8399a58bdbb7157cb3aeb3dc3e3f58f3"
Content-Transfer-Encoding: 8bit
X-ONET_PL-MDA-SEGREGATION: 0
X-ONET_PL-MDA-Version: 1.0.25
X-ONET_PL-MDA-Info: 015 35161 6B66CFF656749 1.000000
X-ONET_PL-MDA-From: bethany@mydomain.com
X-ONET_PL-MDA-Spam: YES

NOTE: I have dubbed out all places that include my domain with "mydomain.com" and my server's actual IP with xxx.xxx.xxx.xxx. All other uncensored information has no relation to me that I am aware of.

My understanding of SMTP headers is that ONLY the top line "received" is true and any "Received" below that is forged. If this is the case would that not mean that the spam is actually originating from the spammer @ "10.174.34.83" and not my own IP xxx.xxx.xxx.xxx?

It may also be worth noting that Bethany@mydomain.com is not a valid email address either and does not exist. We use GSuite for our emails.

1 Answer


Please don't obfuscate your server's identity. It makes it impossible to check the DNS configuration to assist you.

You are incorrect in believing that all Received headers are forged. However, they may be. Given the headers you have provided, if the IP on the second header is correct and that IP does not pass rDNS validation, it may well originate from your network. I assume the IP is not from your mail server, as its IP address should have passed rDNS validation.

A few things you can do:

  • Look for unexpected software running on the server with the IP address in the second header.
  • Block all internet traffic on port 25 for all servers except your mail server(s).
  • Investigate implementing DMARC for your domain. This should give you a quick indication if you really are originating spam as well as the IP addresses it is originating from.
  • On your mail server, block all outgoing traffic on port 25 from user ids other than the one your mail server runs as.
  • Ensure your SPF policy ends -all, and only lists your outgoing mail servers.
  • Add an SPF record to all non-mail originating domains (such as www) specifying a policy of -all.
  • Add an SPF record to your mail server's domain(s) specifying a policy of A -all
  • Ensure your mail server does not forward mail from the internet unless the user has authenticated. This should only be allowed on the submission port (587). With the given headers this should not be the case unless you remove received headers when sending mail.
  • Develop and implement an email policy such as mine.
BillThor